-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 3/11/2014 11:12 a.m., James Lay wrote: > A weird question....I guess I need to find out exactly what I'm > wanting before going further with trying to get peek to work. So > here's a small example of what I currently have. From my .conf > file: > > acl broken_sites dst 23.192.0.0/11 http_access allow broken_sites > ssl_bump splice broken_sites > > logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st > %Ss:% Sh %ssl::>cert_subject > > This currently works (no cert_subject though)...log entry shown: > > Nov 2 14:23:24 gateway (squid-1): 192.168.1.102 - - > [02/Nov/2014:14:23:24 -0700] "CONNECT 23.211.233.155:443 HTTP/1.1" > 200 4229 TCP_TUNNEL:ORIGINAL_DST - The TCP_TUNNEL tag shows that no bumping was done. Thus no details from inside the TLS transaction are available. "ssl_bump splice" means the same as "ssl_bump none" ... use the non-bumped CONNECT handling. > > Now this is required as the above will not function if bumped. > > At work, we use a commercial proxy which we do not use any ssl > inspection. These connections show up as, for example: > > tcp://www.whateversite.com TCP_DENIED > > And that's what I'm hoping to achieve here...determine what the > site is, and allow or denied it, without having to actually do any > SSL inspection. Will peek/stare accomplish this? Or am I > restricted to bump/inspection only, which for a fair amount of > sites (facebook, instagram, google mail, etc) does not work. > Thanks all...I appreciate any advice. That depends on how you define "SSL inspection". If the TLS details are not inspected with peek - then the details you want will not be available. You can see that in the above example. The ssl_bump access controls are now tested repeatedly in a series of "steps" with the first matching action which is valid at the step being performed. So I suspect the only working configurations will use the at_step ACL type to restrict where the rest of the tests will be performed. If you look at the documentation for that ACL it shows the steps are only before/after the client and server Hello messages. I think you want to peek at step SslBump1 and splice at step SslBump3. Or maybe peek at step 1 and 2 then splice at 3. Amos -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQEcBAEBAgAGBQJUVwMDAAoJELJo5wb/XPRjVsIIALi2WxQ6HzUEZcLCWRnDRHIk m8C/HRZjYGT0ZMs0V6MEWv3ijbta+jeH/1xvNhcMk0y0LiI0Xcw5QKIy4JrBcbJw IyhGcbIeKOuGiOMsvHAS5mL4FV333ql+aY1Ujp3MTjJ2MymXoInTg/FHZqz1HqaN M95J4DQuwyz/ZaT/hsp4eTyBcV8ejuyaKDOo0XmSjwon1RapeSUZi8ohZHMGjb3G R32rfIiqJX8z0PFaDX3wzVASFQ6PpgRPojtjSSjcATcSQm7LPKgXy1+jUPYcogLd K92WrmeN2Y/P+08dUEe2QhGIiORPXAW5DhxnbxfCMInl9981Fbxm9KjKInL2+RY= =J9U6 -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
